Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)

Question

In Veracode report I am getting Error CWE 93 in some of the java files. In Instance of static scan some code is

MimeMessage msg = new MimeMessage(session); msg.setFrom(new InternetAddress(msmtpfrom));

2.msg.setRecipients(Message.RecipientType.TO, address);

How do i resolve ?

Thanks in Advance

I think this question is related to https://stackoverflow.com/questions/55705862/improper-neutralization-of-crlf-sequences-in-http-headers — sidnc86, Apr 16 '19 at 11:02
This resource might help you understand the kind of attack better: https://www.veracode.com/security/crlf-injection — sidnc86, Apr 16 '19 at 11:08

score 0 · Accepted Answer · answered Apr 16 '19 at 11:23

0

Just replace the CRLF occurrences in your string variables like msmtpfrom, address with empty string (""). Have a look at similar question that has relevant answers: How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

answered Apr 16 '19 at 11:23

sidnc86

1 Answers1